qa-only
Conducts thorough QA testing on web applications, generating detailed reports without fixing any issues.
Install this skill
Security score
The qa-only skill was audited on Jun 10, 2026 and we found 94 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 33 | ```bash |
Template literal with variable interpolation in command context
| 283 | ```bash |
Template literal with variable interpolation in command context
| 418 | ```bash |
Template literal with variable interpolation in command context
| 452 | echo "before relying on \`gbrain search\` for code questions in this worktree." |
Template literal with variable interpolation in command context
| 580 | ```bash |
Curl to non-GitHub URL
| 802 | curl -fsSL "https://bun.sh/install" -o "$tmpfile" |
Fetch to external URL
| 894 | - API endpoints → test them directly with `$B js "await fetch('/api/...')"` |
Access to hidden dotfiles in home directory
| 34 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 36 | mkdir -p ~/.gstack/sessions |
Access to hidden dotfiles in home directory
| 37 | touch ~/.gstack/sessions/"$PPID" |
Access to hidden dotfiles in home directory
| 38 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
Access to hidden dotfiles in home directory
| 39 | find ~/.gstack/sessions -mmin +120 -type f -exec rm {} + 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 40 | _PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true") |
Access to hidden dotfiles in home directory
| 41 | _PROACTIVE_PROMPTED=$([ -f ~/.gstack/.proactive-prompted ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 44 | _SKILL_PREFIX=$(~/.claude/skills/gstack/bin/gstack-config get skill_prefix 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 48 | source <(~/.claude/skills/gstack/bin/gstack-repo-mode 2>/dev/null) || true |
Access to hidden dotfiles in home directory
| 51 | _SESSION_KIND=$(~/.claude/skills/gstack/bin/gstack-session-kind 2>/dev/null || echo "interactive") |
Access to hidden dotfiles in home directory
| 54 | _LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 56 | _TEL=$(~/.claude/skills/gstack/bin/gstack-config get telemetry 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 57 | _TEL_PROMPTED=$([ -f ~/.gstack/.telemetry-prompted ] && echo "yes" || echo "no") |
Access to hidden dotfiles in home directory
| 62 | _EXPLAIN_LEVEL=$(~/.claude/skills/gstack/bin/gstack-config get explain_level 2>/dev/null || echo "default") |
Access to hidden dotfiles in home directory
| 65 | _QUESTION_TUNING=$(~/.claude/skills/gstack/bin/gstack-config get question_tuning 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 67 | mkdir -p ~/.gstack/analytics |
Access to hidden dotfiles in home directory
| 69 | echo '{"skill":"qa-only","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(_repo=$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null | tr -cd 'a-zA-Z0-9._-'); echo "${_repo:-unknown |
Access to hidden dotfiles in home directory
| 71 | for _PF in $(find ~/.gstack/analytics -maxdepth 1 -name '.pending-*' 2>/dev/null); do |
Access to hidden dotfiles in home directory
| 73 | if [ "$_TEL" != "off" ] && [ -x "~/.claude/skills/gstack/bin/gstack-telemetry-log" ]; then |
Access to hidden dotfiles in home directory
| 74 | ~/.claude/skills/gstack/bin/gstack-telemetry-log --event-type skill_run --skill _pending_finalize --outcome unknown --session-id "$_SESSION_ID" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 80 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 86 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 3 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 91 | ~/.claude/skills/gstack/bin/gstack-timeline-log '{"skill":"qa-only","event":"started","branch":"'"$_BRANCH"'","session":"'"$_SESSION_ID"'"}' 2>/dev/null & |
Access to hidden dotfiles in home directory
| 96 | _ROUTING_DECLINED=$(~/.claude/skills/gstack/bin/gstack-config get routing_declined 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 107 | _CHECKPOINT_MODE=$(~/.claude/skills/gstack/bin/gstack-config get checkpoint_mode 2>/dev/null || echo "explicit") |
Access to hidden dotfiles in home directory
| 108 | _CHECKPOINT_PUSH=$(~/.claude/skills/gstack/bin/gstack-config get checkpoint_push 2>/dev/null || echo "false") |
Access to hidden dotfiles in home directory
| 129 | In plan mode, allowed because they inform the plan: `$B`, `$D`, `codex exec`/`codex review`, writes to `~/.gstack/`, writes to the plan file, and `open` for generated artifacts. |
Access to hidden dotfiles in home directory
| 137 | If `SKILL_PREFIX` is `"true"`, suggest/invoke `/gstack-*` names. Disk paths stay `~/.claude/skills/gstack/[skill-name]/SKILL.md`. |
Access to hidden dotfiles in home directory
| 139 | If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with |
Access to hidden dotfiles in home directory
| 144 | - Missing `~/.claude/skills/gstack/.feature-prompted-continuous-checkpoint`: AskUserQuestion for Continuous checkpoint auto-commits. If accepted, run `~/.claude/skills/gstack/bin/gstack-config set che |
Access to hidden dotfiles in home directory
| 145 | - Missing `~/.claude/skills/gstack/.feature-prompted-model-overlay`: inform "Model overlays are active. MODEL_OVERLAY shows the patch." Always touch marker. |
Access to hidden dotfiles in home directory
| 158 | If B: run `~/.claude/skills/gstack/bin/gstack-config set explain_level terse`. |
Access to hidden dotfiles in home directory
| 162 | rm -f ~/.gstack/.writing-style-prompt-pending |
Access to hidden dotfiles in home directory
| 163 | touch ~/.gstack/.writing-style-prompted |
Access to hidden dotfiles in home directory
| 172 | touch ~/.gstack/.completeness-intro-seen |
Access to hidden dotfiles in home directory
| 185 | If A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry community` |
Access to hidden dotfiles in home directory
| 195 | If B→A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry anonymous` |
Access to hidden dotfiles in home directory
| 196 | If B→B: run `~/.claude/skills/gstack/bin/gstack-config set telemetry off` |
Access to hidden dotfiles in home directory
| 200 | touch ~/.gstack/.telemetry-prompted |
Access to hidden dotfiles in home directory
| 213 | If A: run `~/.claude/skills/gstack/bin/gstack-config set proactive true` |
Access to hidden dotfiles in home directory
| 214 | If B: run `~/.claude/skills/gstack/bin/gstack-config set proactive false` |
Access to hidden dotfiles in home directory
| 218 | touch ~/.gstack/.proactive-prompted |
Access to hidden dotfiles in home directory
| 260 | If B: run `~/.claude/skills/gstack/bin/gstack-config set routing_declined true` and say they can re-enable with `gstack-config set routing_declined false`. |
Access to hidden dotfiles in home directory
| 264 | If `VENDORED_GSTACK` is `yes`, warn once via AskUserQuestion unless `~/.gstack/.vendoring-warned-$SLUG` exists: |
Access to hidden dotfiles in home directory
| 276 | 3. Run `~/.claude/skills/gstack/bin/gstack-team-init required` (or `optional`) |
Access to hidden dotfiles in home directory
| 278 | 5. Tell the user: "Done. Each developer now runs: `cd ~/.claude/skills/gstack && ./setup --team`" |
Access to hidden dotfiles in home directory
| 284 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 285 | touch ~/.gstack/.vendoring-warned-${SLUG:-unknown} |
Access to hidden dotfiles in home directory
| 427 | _BRAIN_SYNC_BIN="~/.claude/skills/gstack/bin/gstack-brain-sync" |
Access to hidden dotfiles in home directory
| 428 | _BRAIN_CONFIG_BIN="~/.claude/skills/gstack/bin/gstack-config" |
Access to hidden dotfiles in home directory
| 532 | If A/B and `~/.gstack/.git` is missing, ask whether to run `gstack-artifacts-init`. Do not block the skill. |
Access to hidden dotfiles in home directory
| 537 | "~/.claude/skills/gstack/bin/gstack-brain-sync" --discover-new 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 538 | "~/.claude/skills/gstack/bin/gstack-brain-sync" --once 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 581 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" |
Access to hidden dotfiles in home directory
| 598 | ~/.claude/skills/gstack/bin/gstack-decision-search --recent 5 2>/dev/null |
Access to hidden dotfiles in home directory
| 607 | **Cross-session decisions.** If `ACTIVE DECISIONS` are listed, treat them as prior settled calls with their rationale — do not silently re-litigate them; if you're about to reverse one, say so explici |
Access to hidden dotfiles in home directory
| 620 | Curated jargon list lives at `~/.claude/skills/gstack/scripts/jargon-list.json` (80+ terms). On the first jargon term you encounter this session, Read that file once; treat the `terms` array as the ca |
Access to hidden dotfiles in home directory
| 666 | Before each AskUserQuestion, choose `question_id` from `scripts/question-registry.ts` or `{skill}-{slug}`, then run `~/.claude/skills/gstack/bin/gstack-question-preference --check "<id>"`. `AUTO_DECID |
Access to hidden dotfiles in home directory
| 674 | ~/.claude/skills/gstack/bin/gstack-question-log '{"skill":"qa-only","question_id":"<id>","question_summary":"<short>","category":"<approval|clarification|routing|cherry-pick|feedback-loop>","door_type |
Access to hidden dotfiles in home directory
| 683 | ~/.claude/skills/gstack/bin/gstack-question-preference --write '{"question_id":"<id>","preference":"<pref>","source":"inline-user","free_text":"<optional original words>"}' |
Access to hidden dotfiles in home directory
| 698 | Before building anything unfamiliar, **search first.** See `~/.claude/skills/gstack/ETHOS.md`. |
Access to hidden dotfiles in home directory
| 703 | jq -n --arg ts "$(date -u +%Y-%m-%dT%H:%M:%SZ)" --arg skill "SKILL_NAME" --arg branch "$(git branch --show-current 2>/dev/null)" --arg insight "ONE_LINE_SUMMARY" '{ts:$ts,skill:$skill,branch:$branch,i |
Access to hidden dotfiles in home directory
| 721 | ~/.claude/skills/gstack/bin/gstack-learnings-log '{"skill":"SKILL_NAME","type":"operational","key":"SHORT_KEY","insight":"DESCRIPTION","confidence":N,"source":"observed"}' |
Access to hidden dotfiles in home directory
| 731 | `~/.gstack/analytics/`, matching preamble analytics writes. |
Access to hidden dotfiles in home directory
| 738 | rm -f ~/.gstack/analytics/.pending-"$_SESSION_ID" 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 740 | ~/.claude/skills/gstack/bin/gstack-timeline-log '{"skill":"SKILL_NAME","event":"completed","branch":"'$(git branch --show-current 2>/dev/null || echo unknown)'","outcome":"OUTCOME","duration_s":"'"$_T |
Access to hidden dotfiles in home directory
| 743 | echo '{"skill":"SKILL_NAME","duration_s":"'"$_TEL_DUR"'","outcome":"OUTCOME","browse":"USED_BROWSE","session":"'"$_SESSION_ID"'","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}' >> ~/.gstack/analytics/skill- |
Access to hidden dotfiles in home directory
| 746 | if [ "$_TEL" != "off" ] && [ -x ~/.claude/skills/gstack/bin/gstack-telemetry-log ]; then |
Access to hidden dotfiles in home directory
| 747 | ~/.claude/skills/gstack/bin/gstack-telemetry-log \ |
Access to hidden dotfiles in home directory
| 829 | _CROSS_PROJ=$(~/.claude/skills/gstack/bin/gstack-config get cross_project_learnings 2>/dev/null || echo "unset") |
Access to hidden dotfiles in home directory
| 832 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 10 --cross-project 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 834 | ~/.claude/skills/gstack/bin/gstack-learnings-search --limit 10 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 849 | If A: run `~/.claude/skills/gstack/bin/gstack-config set cross_project_learnings true` |
Access to hidden dotfiles in home directory
| 850 | If B: run `~/.claude/skills/gstack/bin/gstack-config set cross_project_learnings false` |
Access to hidden dotfiles in home directory
| 866 | 1. **Project-scoped test plans:** Check `~/.gstack/projects/` for recent `*-test-plan-*.md` files for this repo |
Access to hidden dotfiles in home directory
| 869 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" |
Access to hidden dotfiles in home directory
| 870 | ls -t ~/.gstack/projects/$SLUG/*-test-plan-*.md 2>/dev/null | head -1 |
Access to hidden dotfiles in home directory
| 1165 | eval "$(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)" && mkdir -p ~/.gstack/projects/$SLUG |
Access to hidden dotfiles in home directory
| 1167 | Write to `~/.gstack/projects/{slug}/{user}-{branch}-test-outcome-{datetime}.md` |
Access to hidden dotfiles in home directory
| 1192 | ~/.claude/skills/gstack/bin/gstack-learnings-log '{"skill":"qa-only","type":"TYPE","key":"SHORT_KEY","insight":"DESCRIPTION","confidence":N,"source":"SOURCE","files":["path/to/relevant/file"]}' |
External URL reference
| 168 | If `LAKE_INTRO` is `no`: say "gstack follows the **Boil the Ocean** principle — do the complete thing when AI makes marginal cost near-zero. Read more: https://garryslist.org/posts/boil-the-ocean" Off |
External URL reference
| 171 | open https://garryslist.org/posts/boil-the-ocean |
External URL reference
| 769 | | Target URL | (auto-detect or required) | `https://myapp.com`, `http://localhost:3000` | |
External URL reference
| 802 | curl -fsSL "https://bun.sh/install" -o "$tmpfile" |
External URL reference
| 901 | $B goto http://localhost:3000 2>/dev/null && echo "Found app on :3000" || \ |
External URL reference
| 902 | $B goto http://localhost:4000 2>/dev/null && echo "Found app on :4000" || \ |
External URL reference
| 903 | $B goto http://localhost:8080 2>/dev/null && echo "Found app on :8080" |